The attached control matrix is the result of updating the post-implementation control matrix. The matrix outlines risks and controls. Controls will be validated and tested in the 2000-01 file for SAP Application Controls for Accounts Payable (File number 1010043).

The FI-AP module processes all regular invoices and invoices related to DPOs and CORs. Invoices related to POs are entered in the MM module, and controls are tested there.

This matrix will be helpful in identifying the risks and controls over Accounts Payable processing. The 2000-01 fiscal year audit work can be relied upon for a review of internal controls over SAP and Central Accounts Payable processing. However, it will still be necessary to evaluate individual departments' business processes and sample transactions when conducting audits of individual departmental expenditures.
1
04/04/11
Accounts Payable Risk Matrices
P
Item 2 (H)
Risk: Creation or deletion of vendor master files may not be authorized or detected.
Impact: Financial loss due to payments made to unapproved vendor (fraud).
Controls (P, P, D):
1. Creation or deletion of a vendor master file requires a vendor coding form authorization by the appropriate users.
2. The vendor coding form will be attached with source documents and the A/P supervisor approves it. Then the Accounts Admin Section verifies AP Supervisor approval.
3. The Accounts Admin Section reviews the SAP report (RFKABL00) listing modified
Audit steps:
1,2. Select a sample of vendor master records created. Trace information to vendor coding form, and verify proper authorization.
3. Verify Accounts Admin reviews list of modified/created vendors.
6. Observe that an error/warning message appears when erroneous information is entered, or required information is omitted.

Item 4 (H)
Risk: Sensitive fields, such
Impact: Financial
Controls (P):
1. Alternative payees cannot
Audit steps:
1. List all master
Item 5 (M)
Risk: Duplicate vendor records may be created.
Impact: Incomplete reporting due to more than one vendor number. Confusion when selecting vendor when invoicing.
Controls (P, P, P):
1. A/P clerk checks for same vendor name address, etc. when submitting or approving vendor master input form.
2. A/P supervisor signs off on vendor master input forms.
3. Standard naming conventions are used to reduce the possibility of duplicate vendor names
Audit steps:
1. Observe user creating a vendor master record, and verify the user checks for same name.
2. Select a sample of newly created vendor master records, and verify proper approval.
3. Observe creation of vendor names and verify naming conventions are used.
4. Test vendor master file for duplicate records.

Item 6 (H)
Risk: Housing / Election vendors may not
Impact: Financial loss.
Controls (P):
1. Housing vendors are subject to the same controls mentioned
Audit steps:
1. Perform same audit steps for
D
Item 4
Risk: Invalid invoices may be entered
Impact: Financial loss.
Controls (P, P):
1. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval
2. Original invoices are required as source document. Supervisors must approve paying on a fax or copy.
Audit steps:
1. Select a sample of invoices and verify supervisory and central a/p staff review.
2. Select a sample of invoices and trace information to supporting document.

Item 5 (H)
Risk: Inaccurate or invalid data could be input when record first entered into SAP
Impact: Financial loss.
Controls (P, D):
1. Intelligent and mandatory fields have been set up.
2. SAP automatically required supervisor approval of invoices.
Audit steps:
1. Observe the entry of invoices, and the SAP controls for mandatory and intelligent fields.
5. Use ACL to test for duplicate invoices in a variety of ways.

Item 8 (H)
Risk: Invoice may be changed after it is posted
Impact: Financial loss.
Controls (P):
1. Payee or amount can not be changed once supervisor has released PCD.
Audit steps:
1. Observe Finance AP staff trying to change the payee or amount after the invoice is posted to verify SAP controls.

Item 9 (H)
Risk: The original transaction is inappropriately reversed out from the system.
Impact: Misstated financial statements. Unpaid vendors resulting in lost discounts, or late fees.
Controls (P):
1. SAP will automatically verify the following, before a reversal entry is accepted:
• no cleared items
• original transaction was within the original posting module
2. Only Finance AP supervisors have access to do a reversal documents (FB08, MR08), and a reason code is required. Standard procedure is to also enter information in the text field.
Audit steps:
1. Determine if SAP or Finance checks for reversal entries.
2. Verify that only Finance AP supervisors have access to reverse document.

Item 10 (H)
Risk: Invoice may contain mathematical errors.
Impact: Financial loss
Controls (P):
1. The creator of the invoice or manual PCD is responsible for verifying the mathematical accuracy of the invoice. There are no subsequent controls.
Audit steps:
1. Select a sample of invoice documents and verify mathematical accuracy of the invoice.

Item 11 (H)
Risk: Invoices may be incorrectly or inaccurately keyed in through the FI module and not through the MM module, which would bypass the ‘three way match’ (PO, invoice and
Impact: Financial loss from duplicate invoices. Misstated financial statements.
Controls (P, P):
1. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval
2. Finance AP check for PO reference on the invoice.
3. Finance AP identifies
Audit steps:
1. Select a sample of invoices and verify supervisory and central a/p staff review.
2&3. Observe Finance AP
Item 12 (H)
Risk: Invoice is not applied towards the related RF
Impact: Misstated financial statements
Controls (P, P, P, P):
1. Creator of the invoice enters the RF# in a user-defined field.
2. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval.
3. Finance A/P staff approving the invoice look for the RF# on the invoice, and verify the number is on the SAP invoice.
4. After Finance AP staff approves the invoice, SAP verifies matching data (ie vendor number) and automatically updates the RF.
Audit steps:
1-3. Observe Finance AP process and verify the reviewer checks for RF#.
4. We did not test for invoices with RF references, that were not applied to the PO. We relied on the other controls.
5. No test necessary.
Item 2 (L)
Risk: The tolerance limits for invoice verification procedures may be set too high. The tolerance limit is used to match the FI invoice with the MM PO goods receipt.
Impact: Unauthorized large payments.
Controls (P):
1. The tolerance limits used to check on the three way match process are set according to the City’s policies and standards. The standard is 10%, or $100 per line item.
2. If the tolerance is exceeded, the system will not display the PO line items. Then the AP clerk will not process the invoice, and will notify Purchasing of the discrepancy.
Audit steps:
1. Run the tolerance limit report for AP and MM, by transaction key, and compare the limits to the City standards.
2. Observe the entry of invoices and verify SAP warning message and AP clerk action.
1 – IV4; 2 – IV3
1=S

Item 3
Risk: Payment blocks may not be placed on invoices during the invoice approval process.
Impact: Financial loss due to invoices being paid before final approval.
Controls:
1. Payment blocks include:
• Invoice amount exceeds PO amount by tolerance limits
• The quantity on the invoice exceeds the quantity on the goods receipt (GR).
2. The system blocks the payments automatically if one of the above situations exists.
Audit steps:
1,2. Observe the entry of invoices and verify SAP warning message and AP clerk action.
IV3
1=O; 2=O

Item 4 (M)
Risk: Purchase made through PO is paid by PCD.
Impact: Misstated financial statements.
Controls:
1. Finance AP check for PO reference on the invoice.
2. Finance AP identifies invoices for commodities, and investigates any commodities not being paid against a DPO,
Audit steps:
1,2. Observe Finance AP process and verify they check for PO reference on the invoice, and they
1,2 – IV3; 3 – IV4
2. Document management’s review of the Payment Proposal List and Exception List.

Item 8 (H)
Risk: Payments could be made more than once for an invoice.
Impact: Financial loss from duplicate payments.
Controls (P):
1. SAP automatically assigns a clearing document number and clearing date when payment is made for open invoice item.
2. SAP will not select cleared items for payment.
3. Print file disappears after it is printed, so checks can’t be
1 – D1; 2 – D1; 3 – D1
1, 2, 3=S
Audit steps:
1. Select a sample of paid invoices and verify they were assigned a clearing document number and clearing date.
3. Document that the print file disappears after it is printed.

Item 9 (M)
Risk: Payments made are posted to the wrong accounts.
Impact: Misstated financial statements.
Controls (P, P):
1. The FI accounts payable and FI general ledger are fully integrated within SAP. A posting to the vendor account will automatically post to the appropriate reconciliation account in the general ledger on a real time basis. GL account number 222000 is the only reconciliation account.
Audit steps:
1. Select a sample of invoices and verify the g/l account entry.
2. Review activity in g/l account #220000 to verify all invoices were posted to FI-GL.
1 – D1; 2 – D1
1=S; 2=O

Item 10 (H)
Risk: The check number in the check register may not be updated.
Impact: Financial loss due to the difficulty reconciling bank accounts, and noting missing checks.
Controls (P, P):
1. SAP automatically assigns a sequential check number to each check, and records it in the register
2. The check register is used to keep track of physical check numbers.
3. Procedures exist for reviewing the check number in the check register. The procedures cover:
• Reviewing missing checks or checks number not running in sequence;
• Reconcile check register after each check run;
• Are spoiled manual checks retained;
• Checks printed as overflow documents are denoted as “void”
• Payment is made by the first check in the series only, and others are denoted as “void”.
Audit steps:
1. Identify process for assigning both electronic and manual check numbers.
2. Review the check register for missing check numbers.
3. Observe procedures for:
• reviewing missing checks or check numbers
• reconciling check register after each run
• spoiled checks
• voided checks
4. Verify SAP reports all
1 – D2 & D4; 2 – D1; 3 – D1; 4 – D1
1=S; 2=S; 3=O
3. Verify independent review of manual check log.
4. Verify blank checks are secure.
3=O; 4=S

Item 16 (M)
Risk: Printed checks may be lost or stolen.
Impact: Financial loss
Controls (P):
1. The check printer is stored in a public area, but is supervised during the printing.
2. Checks are mailed out the same day they are printed.
3. Printed checks kept for pick up are kept in a secretary’s desk, and locked in the safe for the night.
Audit steps:
1. Observe the check run, and review the security methods used to make sure checks are mailed out or kept in a secure location.
D1
1=O

Item 17 (H)
Risk: Cancellation and re-issue of checks may be improperly processed.
Impact: Financial loss. Misstatement of financial statements.
Controls (D, D):
1. Controls are in place to ensure that warrants already issued have not been cashed before the re-issue of another warrant by checking with the bank and SAP.
2. Appropriate and authorized documentation is received from the vendor for review before the re-issue of another warrant.
Audit steps:
1. Select a sample of re-issued checks and verify that the original warrant was never cashed.
2. Agree check information to supporting documentation.
1-3 – D11
1, 2, 3=S